Cato Networks
Cato Networks provides an enterprise cloud service offering several integrated networking and security tools. These can be used to connect "all branch offices, mobile users, physical and cloud data centers to provide secure WAN and internet connectivity everywhere."
To set up Cato Networks, you’ll need to:
- Review the requirements.
- Create an API key and obtain your Account ID from Cato Networks.
- Set up the Cato Networks event source in InsightIDR.
- Verify the configuration works.
Requirements
To complete the tasks outlined in this article, you’ll need the following:
- Access to a Cato Networks account with Editors access.
- API Key
- Account ID
Create an API key and Obtain your Account ID from Cato Networks
- Log in to your Cato Networks Editors Account.
- Record the Account ID that appears in the Cato Networks URL to a temporary text file. If you have multiple account IDs you wish to monitor, repeat this step for each. For example, if your Account ID is "1234" then the URL should look like: https://rapid7.catonetworks.com/#!/1234/topology
- Open the Navigation Menu and click Administration > API Management.
- Enter the Name of the key and click Apply. If the API key has been successfully added a window will appear displaying the new API key.
- Click the Copy Icon to copy your API key and ensure you Save it to a secure location. Once you close the window you can no longer access the value of the API key.
- Click Ok to close the API window.
- On the API Management page click the Event Feed Enabled toggle to enable your account to send events to the Cato API servers.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cato Networks in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the Cato Networks event source tile.
- Choose your collector and Cato Networks from the event source drop-down.
- Name your event source. If you do not, InsightIDR will apply the default event source name “Cato Networks”.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Enter the Account ID that you obtained from your Cato Networks Profile URL. If you wish to enter multiple Account IDs you must separate them using a comma.
- Select your credentials, or create a new credential. If you’re creating a new credential, enter the API key you created in Cato Networks.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Click Log Search in the left menu.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cato Networks” if you did not name the event source. Cato Networks logs flow into the Cato Networks log set.
Logs take a minimum of 7 minutes to appear in Log Search.
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.
Sample Logs
Example of internet firewall logs:
JSON
1{2"time": "2021-12-01T15:07:11Z",3"fieldsMap": {4"ISP_name": "Firewall (Internet) ISP",5"account_id": "5678",6"action": "Monitor",7"application": "DNS",8"dest_ip": "10.0.0.2",9"dest_is_site_or_vpn": "Site",10"dest_port": "53",11"dest_site": "CSI LV-SWI",12"event_count": "1",13"event_sub_type": "Internet Firewall",14"event_type": "Security",15"internalId": "FH67fuFj6H",16"ip_protocol": "UDP",17"os_type": "OS_WINDOWS",18"os_version": "10",19"pop_name": "PopName",20"rule": "Migrated by Cato Allow All WAN",21"rule_id": "1234",22"rule_name": "Migrated by Cato Allow All WAN",23"src_country": "United States of America",24"src_ip": "10.0.0.1",25"src_is_site_or_vpn": "VPN User",26"src_isp_ip": "10.0.0.3",27"src_site": "John Adams",28"time": "1638371231662",29"vpn_user_email": "john.adams@catonetworkscustomer.com"30}31}
Example of WAN firewall logs:
JSON
1{2"time": "2021-12-01T15:06:59Z",3"fieldsMap": {4"ISP_name": "Firewall (WAN) ISP",5"account_id": "5678",6"action": "Monitor",7"application": "HTTP(S)",8"dest_ip": "10.0.0.5",9"dest_is_site_or_vpn": "Site",10"dest_port": "80",11"dest_site": "CSI LV-SWI",12"event_count": "1",13"event_sub_type": "WAN Firewall",14"event_type": "Security",15"internalId": "f85jFRj683",16"ip_protocol": "TCP",17"os_type": "OS_WINDOWS",18"os_version": "10",19"pop_name": "PopName",20"rule": "Migrated by Cato Allow All WAN",21"rule_id": "1234",22"rule_name": "Migrated by Cato Allow All WAN",23"src_country": "United States of America",24"src_ip": "10.0.0.4",25"src_is_site_or_vpn": "VPN User",26"src_isp_ip": "10.0.0.6",27"src_site": "Kerry Smith",28"time": "1638371219092",29"vpn_user_email": "kerry.smith@catonetworkscustomer.com"30}31}